Data Processing Addendum
A plain-language summary of how we process personal data on your behalf as your processor. A signable DPA is available on request.
Note: this document contains substantive, real content but is pending final legal-counsel review. For a legally binding agreement, please contact us.
1. Roles of the parties
This Data Processing Addendum (“DPA”) summarises how HAiCapita processes personal data on behalf of a customer organisation that uses the Services. When you process personal data in your workspace, you are the controller and HAiCapita is the processor, acting only on your documented instructions. This page is a plain-language summary; a signable DPA is available on request (see below).
2. Subject matter, duration and purpose
We process personal data only to provide and support the Services for the duration of your subscription and any agreed wind-down period. The categories of data and data subjects are those you choose to put into the platform — typically your administrators and the employees you enrol in security-awareness, training or simulation activities.
3. Our processor commitments
- Process personal data only on your documented instructions.
- Ensure personnel are bound by confidentiality.
- Apply appropriate technical and organisational security measures (encryption in transit and at rest, access control, audit logging).
- Engage sub-processors only under equivalent obligations, and tell you before material changes (current sub-processors: SendGrid, Cloudflare).
- Assist you with data-subject requests, security, breach notification and impact assessments.
- Delete or return personal data at the end of the service, subject to legal retention.
4. Location and transfers
Managed-service data is stored in HAiCapita-operated PostgreSQL and MinIO with MENA data residency. Where any transfer outside your region is involved (for example email routing via SendGrid), we put appropriate safeguards in place. Air-gapped deployments keep all data within your own infrastructure with no external transfer.
5. Requesting the signable DPA
To receive the full Data Processing Addendum for signature, or our list of sub-processors and security measures, email [email protected] with your organisation name and the contracting entity. We will return the document for your review.